struts-user mailing list archives

From Maurizio Cucchiara <mcucchi...@apache.org>
Subject Re: Concealing primary key in web application with struts 2 from security perspective?
Date Sun, 01 Dec 2013 08:59:44 GMT
The easiest way is to store the user id in the current session.
If you have no other alternatives and you have to pass the user id through
the request, then make the id unpredictable:
* use a UUID
* rely on and check against at least one other value (for instance id+email)
* use cryptography (f.i. sha1(user name, id, time, seed))

And, as someone else already said, Struts doesn't have such built-in
functionality.
On 30 Nov 2013 18:17, "Mohit Gupta" <motgupta@gmail.com> wrote:

> Guys, looks like I was not clear in my question earlier. My requirement is
> something like this:
>
> I make a call to a Struts 2 action which forwards the request to customer.jsp,
> which populates the fields from CustomerInfo.java (data object). Say
> CustomerInfo has a field customerId. Assume its value was 100 when the response
> was sent to the user on the UI. But some hacker/user changes the value to 300 to
> see some unauthorized data.
>
> What I am trying to ask here is: does Struts 2 provide any inbuilt interceptor
> so that it can track modification of those secure fields (assume I have
> annotated customerId with some annotation, say @secureId) and throw an error in
> case it is modified?
>
>
> On Sat, Nov 30, 2013 at 10:41 PM, Paul Benedict <pbenedict@apache.org> wrote:
>
> > Mohit, feel free to check out Spring Security. It works with any framework
> > to authenticate or authorize resources; it just becomes your responsibility
> > to configure it correctly.
> >
> >
> > On Sat, Nov 30, 2013 at 9:36 AM, Dave Newton <davelnewton@gmail.com> wrote:
> >
> > > I don't see how it could, since there are an essentially unlimited number
> > > of back ends, authorization mechanisms, etc. that would need to be
> > > accounted for. Struts 2 is agnostic when it comes to basically everything
> > > but the web layer.
> > > On Nov 30, 2013 3:40 AM, "Mohit Gupta" <motgupta@gmail.com> wrote:
> > >
> > > > I agree it's not a Struts 2 issue. My intention with the question is just
> > > > to ask whether Struts 2 provides any kind of implementation off the shelf
> > > > (some kind of interceptor or any other approach) to address this. Thanks
> > > > in advance.
> > > >
> > > >
> > > > On Sat, Nov 30, 2013 at 12:16 PM, Paul Benedict <pbenedict@apache.org> wrote:
> > > >
> > > > > Exposing the primary key is not a security issue; you always have to
> > > > > key off something. What you need is business logic that ensures that a
> > > > > user may only access what he may. That's not a Struts issue; it's logic
> > > > > that you need to add in your business services.
> > > > >
> > > > >
> > > > > On Fri, Nov 29, 2013 at 11:24 PM, Mohit Gupta <motgupta@gmail.com> wrote:
> > > > >
> > > > > > When you have an internet-facing application, it's important not to
> > > > > > expose direct object references on the UI, to protect against a
> > > > > > security vulnerability (where a user can retrieve unauthorized data by
> > > > > > merely changing the primary key). When you are writing the application
> > > > > > from scratch there are various ways you can handle it, like:
> > > > > >
> > > > > > 1) Handling it at the data layer, where the query has the user id in
> > > > > > the where clause. The user id should be picked from the session.
> > > > > >
> > > > > > 2) Maintaining a reference map at the server side. The key can be some
> > > > > > number generated based on some algorithm and the value will be the
> > > > > > primary key. Then expose that number on the UI. On the server side get
> > > > > > the value against that key. Even if the user manipulates the number,
> > > > > > the corresponding value won't be found and it will throw an error.
> > > > > > Something like this.
> > > > > >
> > > > > > There will be other ways also.
> > > > > >
> > > > > > My question is: is there something of a similar kind available in
> > > > > > Struts 2, where you can annotate any field with the primary key and it
> > > > > > does step 2 for you, or any other implementation to abstract the
> > > > > > primary key? Any ideas?
> > > > > >
> > > > >
> > > > > --
> > > > > Cheers,
> > > > > Paul
> > > > >
> > > >
> > >
> >
> > --
> > Cheers,
> > Paul
> >
>
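
The server-side reference map Mohit describes as option 2, combined with the session-scoped ownership check of option 1, as an added example in plain Java. It is not Struts code and not from anyone on this thread; it assumes Java 11 or newer, stands in for the Struts session with a plain Map<String,Object>, and the names IdorDemo, IndirectReferenceMap, Customer, CustomerRepository and the sample customer rows are constructed for the illustration. No interceptor is shown, since the thread notes Struts 2 has no built-in one; the two action-style methods are where such an interceptor or action would call in.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example (not Struts code): option 2 from the original question (a
// per-session map from an opaque token to the real primary key) backed by
// option 1 (the owner id from the session is part of the data-layer lookup).
public class IdorDemo {

    /** Per-session map from an opaque random token to the real primary key. */
    static final class IndirectReferenceMap {
        private static final SecureRandom RANDOM = new SecureRandom();
        private final Map<String, Long> tokenToKey = new HashMap<>();
        private final Map<Long, String> keyToToken = new HashMap<>();

        /** Token the view renders instead of the primary key. */
        synchronized String expose(long primaryKey) {
            String existing = keyToToken.get(primaryKey);
            if (existing != null) return existing;      // stable within the session
            byte[] buf = new byte[16];                  // 128 random bits: not enumerable
            RANDOM.nextBytes(buf);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            tokenToKey.put(token, primaryKey);
            keyToToken.put(primaryKey, token);
            return token;
        }

        /** Empty if this session never issued the token (edited, guessed or foreign). */
        synchronized Optional<Long> resolve(String token) {
            return Optional.ofNullable(tokenToKey.get(token));
        }
    }

    /** Constructed sample row: a customer and the user id that owns it. */
    static final class Customer {
        final long id; final long ownerUserId; final String name;
        Customer(long id, long ownerUserId, String name) {
            this.id = id; this.ownerUserId = ownerUserId; this.name = name;
        }
    }

    static final class CustomerRepository {
        private final List<Customer> rows = List.of(
                new Customer(100, 1, "Alice Ltd"),   // owned by user 1
                new Customer(300, 2, "Bob GmbH"));   // owned by user 2

        /** Option 1 from the thread: owner id from the session is part of the query. */
        Optional<Customer> findByIdForOwner(long id, long ownerUserId) {
            return rows.stream()
                    .filter(c -> c.id == id && c.ownerUserId == ownerUserId)
                    .findFirst();
        }
    }

    static final String SESSION_USER_ID = "userId";
    static final String SESSION_REF_MAP = "refMap";

    /** Stand-in for the session map a framework hands an action after login. */
    static Map<String, Object> loginSession(long userId) {
        Map<String, Object> session = new HashMap<>();
        session.put(SESSION_USER_ID, userId);
        session.put(SESSION_REF_MAP, new IndirectReferenceMap());
        return session;
    }

    /** What a "list customers" action does: render tokens, never raw ids. */
    static String renderCustomerLink(Map<String, Object> session, long customerId) {
        IndirectReferenceMap refs = (IndirectReferenceMap) session.get(SESSION_REF_MAP);
        return refs.expose(customerId);
    }

    /** What a "view customer" action does with the reference submitted by the browser. */
    static String viewCustomer(Map<String, Object> session, CustomerRepository repo, String ref) {
        IndirectReferenceMap refs = (IndirectReferenceMap) session.get(SESSION_REF_MAP);
        long userId = (Long) session.get(SESSION_USER_ID);
        Optional<Long> key = refs.resolve(ref);
        if (key.isEmpty()) return "rejected: unknown reference";   // never issued here
        Optional<Customer> c = repo.findByIdForOwner(key.get(), userId);
        return c.map(x -> "ok: " + x.name).orElse("rejected: not owner");
    }

    public static void main(String[] args) {
        CustomerRepository repo = new CustomerRepository();
        Map<String, Object> alice = loginSession(1);
        Map<String, Object> bob = loginSession(2);

        String aliceRef = renderCustomerLink(alice, 100);
        String bobRef = renderCustomerLink(bob, 300);

        System.out.println(viewCustomer(alice, repo, aliceRef));        // legitimate lookup
        System.out.println(viewCustomer(alice, repo, aliceRef + "x"));  // edited token
        System.out.println(viewCustomer(alice, repo, bobRef));          // token from another session
        System.out.println(viewCustomer(alice, repo, "300"));           // raw primary key
    }
}
```

Only the first lookup reaches the repository; the edited token, the token issued to Bob's session and the raw primary key all fail at `resolve` because Alice's map never issued them. The owner filter in `findByIdForOwner` is the second line of defence: even if some code path exposed a key it should not have, the query still carries the session's user id, which is the point Paul makes about business logic and the first of Mohit's two options.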
